As my provider does not give me a public IPv4 address, I am using a VPS combined with a WireGuard tunnel to make my homeserver reachable from the Internet (via IPv4 and IPv6).

On my homeserver, the traffic arrives first on a reverse proxy (Traefik). Currently, I am using rinetd to forward the incoming traffic of port 80/443 on the VPS to the WireGuard IP address of my homeserver (10.10.0.2). This works but has the problem that the source IP of the packets is always the WireGuard IP of my VPS (10.10.0.1). This is a known limitation of rinetd (https://manpages.ubuntu.com/manpages/bionic/man8/rinetd.8.html).

Plan: Internet <-> (ens192) VPS (wg1) <-> (wg1) homeserver

Solution:

For anyone having this problem at a later point, here is the solution.

Iptables config on the VPS:

iptables -I FORWARD -d 10.10.0.2 -p tcp -m conntrack --ctstate DNAT -j ACCEPT
iptables -I FORWARD -s 10.10.0.2 -p tcp -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -t nat -I PREROUTING -p tcp -d [VPS public IP] -i ens192 --dport 80 -j DNAT --to-destination 10.10.0.2:80
iptables -t nat -I PREROUTING -p tcp -d [VPS public IP] -i ens192 --dport 443 -j DNAT --to-destination 10.10.0.2:443
iptables -t nat -A POSTROUTING -o ens192 -j SNAT --to-source [VPS public IP]

ip6tables -I FORWARD -d fdb0:926d:918e::2 -p tcp -m conntrack --ctstate DNAT -j ACCEPT
ip6tables -I FORWARD -s fdb0:926d:918e::2 -p tcp -m conntrack --ctstate ESTABLISHED -j ACCEPT
ip6tables -t nat -I PREROUTING -p tcp -d [VPS public IP] -i ens192 --dport 80 -j DNAT --to-destination [fdb0:926d:918e::2]:80
ip6tables -t nat -I PREROUTING -p tcp -d [VPS public IP] -i ens192 --dport 443 -j DNAT --to-destination [fdb0:926d:918e::2]:443
ip6tables -t nat -A POSTROUTING -o ens192 -j SNAT --to-source [VPS public IP]

On the homeserver, configure routing:

ip -4 route add default dev wg1 table 4242
ip -6 route add default dev wg1 table 4242

ip -4 rule add pref 500 from 10.10.0.2 lookup 4242
ip -6 rule add pref 500 from fdb0:926d:918e::2 lookup 4242

and also configure the WireGuard AllowedIPs to allow all IPs, except the local (home) network and the public IPv4 and IPv6 of my VPS.

1 Answer


Following this, I was able to make my homeserver available using iptables, but the source IP was still only 10.10.0.1.

Because you added an SNAT rule to force the source IP, I would assume. The tutorial tells you to apply SNAT so that the homeserver would be tricked into correctly replying via the same WireGuard tunnel, instead of sending its replies to WAN IPs directly towards its regular default route. (Without it, clients would attempt to talk to your VPS IP but receive replies from your ISP public IP.)

Remove the SNAT rule from iptables of the VPS, then set up policy routing on the homeserver as an alternative, as documented in a few past threads. Use either ip rule or systemd-networkd's [RoutingPolicyRule] to ensure that if the replies are coming from the homeserver's WireGuard IP, they will be routed via WireGuard as well. (It might be useful to specify wg-quick's Table= option here, then you could create a rule that just references the table that wg-quick creates.)

grawity
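A homeserver wg-quick configuration that implements the policy-routing approach from the answer, added here as an example and not taken from the thread. The interface name wg1, table 4242 and the tunnel addresses come from the question; the /24 and /64 prefixes, the endpoint port 51820 and the keepalive value are assumptions. On the VPS, keep the DNAT and FORWARD rules from the question and drop only the POSTROUTING SNAT lines.

```ini
# /etc/wireguard/wg1.conf on the homeserver (example config, not from the thread)
[Interface]
Address = 10.10.0.2/24, fdb0:926d:918e::2/64
PrivateKey = <homeserver private key>
# Install the tunnel's routes in a dedicated table instead of main, so the
# homeserver's normal default route via the ISP is left untouched.
Table = 4242
# Replies whose source is a tunnel address consult table 4242 and therefore
# leave through wg1 again; this replaces the SNAT that the VPS no longer does.
PostUp = ip -4 rule add pref 500 from 10.10.0.2 lookup 4242
PostUp = ip -6 rule add pref 500 from fdb0:926d:918e::2 lookup 4242
# wg-quick removes the routes in table 4242 itself, but not these rules.
PreDown = ip -4 rule del pref 500 from 10.10.0.2 lookup 4242
PreDown = ip -6 rule del pref 500 from fdb0:926d:918e::2 lookup 4242

[Peer]
PublicKey = <VPS public key>
Endpoint = <VPS public IP>:51820
# With Table= set, wg-quick adds these routes only to table 4242, so a full
# default is safe here and the home network / VPS IP exclusions are unnecessary.
AllowedIPs = 0.0.0.0/0, ::/0
# Assumed: keeps the NAT mapping open since the homeserver has no public IPv4.
PersistentKeepalive = 25
```

After `wg-quick up wg1`, `ip rule` should list the two pref 500 entries and `ip route show table 4242` the default routes via wg1; a client's real address then reaches Traefik unchanged.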